Key developments during June and July 2017 in the area of Technology, Media and Telecommunications (TMT) are summarised as follows.
Ignoring confidentiality obligations and acting unreasonably attracts indemnity costs order The TMT industry is very familiar with the role of confidentiality deeds. It is important to consider the costs implications of failing to comply with the terms of such deeds, particularly the typical requirement that confidential information be returned (or deleted) by a contractor to the customer at the end of the project. In a contested confidentiality claim, the unsuccessful party can generally expect to be subject to a costs order in favour of the successful party. Normally, a party's costs are awarded on the ordinary (solicitor-client) basis, which normally translates to around half of the total costs incurred by the party. However, a court may make an order in certain circumstances for costs on an indemnity basis where it is satisfied, for example, that the unsuccessful party acted particularly unreasonably. This was highlighted in the recent New South Wales Supreme Court decision of Blue Badge Insurance Australia Pty Ltd v Farnan  NSWSC 688. On 30 May 2017, Kunc J ordered costs on an indemnity basis against a former contractor of the plaintiff who had refused to deliver up confidential information when her retainer had ended. His Honour observed the defendant had never had an arguable defence, had ignored numerous opportunities to avoid litigation and had "unreasonably refused a very sensible pre-action offer" made by the plaintiff.
Inadequate notice of online terms In the absence of definitive Australian case law, US decisions regarding the enforceability of online contracts – such as clickwraps, browsewraps and sign-in wraps – continue to be of interest and of relevance to the TMT industry in Australia. We published a case study about a decision of the United States District Court involving Uber last year [here]. Another decision to note was recently handed down by the District Court of Appeal of the State of Florida: Vitacost.com, Inc v James McCants (No. 4D16-3384) (Vitacost). The decision highlights the importance of providing adequate notice to customers about the terms and conditions applying to the relevant transactions. In Vitacost, the purchaser contended there had been inadequate notice of the relevant terms and conditions, which had included an arbitration clause. The seller argued in response that adequate notice had been given by means of a hyperlink to the terms and conditions, which appeared at the bottom of the relevant webpage. The court concluded the hyperlink was inadequate notice because each purchaser had to scroll through multiple pages of products before seeing the hyperlink. The court considered it was significant that the link was labelled "terms and conditions", not "terms and conditions of sale". Furthermore, there was no direction that purchasers should review the terms and conditions prior to purchase. The court considered it was possible to select a product and proceed to check-out without seeing the hyperlink at all. A message stating "Before submitting your order, please take a moment to make sure everything looks good" was described by May J as "hardly an admonition for the purchaser to check and agree to the terms and conditions of sale".
Police disclosure of criminal history not exempt from State privacy principles On 23 June 2017, the NSW Civil and Administrative Tribunal concluded that the NSW Police Force was not exempt from compliance with the applicable information protection principles when disclosing a person's criminal history in response to a routine criminal history check: CTU v NSW Police Force  NSWCATAD 204. Section 27(2) of the Privacy and Personal Information Protection Act 1998 (NSW) provides that the information protection principles contained in the Act do not apply to the NSW Police Force "in connection with the exercise of [its] administrative and educative functions". The Police argued that the sharing of information with the public was a "public" rather than an "administrative" function. However, the Tribunal concluded the provision of criminal history information "where this is done as part of a routine application, is an administrative function according to the ordinary meaning of the term". Nevertheless, the Tribunal rejected the applicant's contention that the disclosure related to a spent conviction and that the information was therefore inaccurate or out of date.
Password protected information likely to be "confidential" A decision handed down on 30 June 2017 by the Federal Court emphasised that misuse of password-protected information is likely to breach an equitable obligation of confidentiality: Digital Central (Assets) Pty Ltd v Stefanovski  FCA 738. The case involved allegations of a breach of a post-contractual restraint by a franchisee. The franchise related to the supply of high graphic quality signage to real estate agents. The franchisee had access to the applicant's password-protected information, including customer lists and an operations manual. There was evidence that the information had been used by a former franchisee in the establishment of a new business, which was sufficient for the Court to find that a breach of confidence had been established. Logan J observed that the information was protected "for good reason" and was "obviously commercially sensitive and useful", his Honour adding that the franchisee "must have known that what lay behind the password was attended with confidentiality obligations". The information included a manual which provided a "complete and proven plan for a successful business".
South Australian Supreme Court grants interlocutory injunctive relief against former senior officer of a technology company The South Australian Supreme Court recently granted a thermal energy storage technology company an injunction against its former Principal Research Officer and Chief Executive Officer who had left the plaintiff to start a competing business: Climate Change Technologies Pty Ltd v Glynn & Ors  SASC 60. The Court accepted the former officer created and possessed confidential information about the plaintiff's IP. Emails before the Court showed he had been planning to use the plaintiff's IP and confidential information through a new company, including with third parties he dealt with when he worked for the plaintiff. The Court was satisfied there was a real likelihood that damages would not be an adequate remedy, given the nature of the plaintiff's work, and the expertise and work undertaken, and proposed to be undertaken, by the defendant. The defendant argued the orders the plaintiff sought were too broad and did not identify the relevant documents or materials. However, the Court pointed out the plaintiff could not identify all relevant documents or materials because many of them were retained on external storage devices that the defendant took with him when he left the plaintiff. An analysis of the devices showed many files relating to the plaintiff's IP had been deleted after he left the plaintiff.
NEW LEGISLATION AND GUIDELINES
APRA deems certain insurance information to be non-confidential Pursuant to section 57(2) of the Australian Prudential Regulation Authority Act 1998 (Cth), APRA can make a determination that certain documents do not contain "confidential information", meaning that disclosure of that information will not be an unlawful use of a "protected document" for the purposes of section 56(2). On 22 June 2017, APRA made a determination relating to information provided by general insurers and Lloyd's underwriters for the purposes of the National Claims and Policies Database (NCPD): Australian Prudential Regulation Authority (confidentiality) determination No 2 of 2017. According to the Explanatory Memorandum, the determination that such data is non-confidential would enable APRA to achieve the original aims of the NCPD, namely, to provide stakeholders with a better understanding of public and product liability insurance and professional indemnity insurance and to help make relevant insurance products more affordable by having more detailed information available to insurers. The Explanatory Memorandum acknowledged that there were legitimate privacy concerns arising out of individual claims and that an appropriate form of privacy masking would have to be implemented.
CSIRO examines the role of blockchain and "smart contracts" CSIRO recently delivered a comprehensive review of how blockchain technology could be adopted across government and industry in Australia with a particular focus on the role of "smart contracts": Risks and Opportunities for Systems Using Blockchain and Smart Contracts (CSIRO Data61, May 2017). Blockchain is a form of cryptography and it involves the use of distributed ledgers. It can be applied for various purposes, including holding, retaining and verifying data. "Smart contracts" are arguably mis-named because they are really pre-programmed responses that enable confirmation that a prescribed event has taken place. The CSIRO report observes that smart contract programs "are typically not very 'smart', and are sometimes not used to execute or monitor legal contracts". The report also states that their status as legal contracts is still open to debate. Nevertheless, the report further observed that a smart contract may provide evidence of there being a legal contract and may be able to facilitate the execution of a legal contract. For example, as the mechanism for the execution of provisions of a legal contract, smart contracts can carry and conditionally transfer digital currency and other digital assets or tokens between parties.
GST exemption to be removed on low-value online sales On 26 June 2017, the Treasury Laws Amendment (GST Low Value Goods) Act 2017 (Cth) was passed, removing the "low value goods exemption" on goods imported into Australia. Effective from 1 July 2018, the amendment to the A New tax System (Goods and Services Tax) Act 1999 (Cth) means that imported goods with a value of less than $1,000 will no longer be exempt from GST. One consequence is that overseas-based retailers, including offshore companies which sell directly to Australian-based consumers, will be required to register for GST and comply with other Australian GST formalities to collect and remit GST if they meet the current registration turnover threshold of $75,000 per annum (that is, if they record $75,000 or more per annum from sales to Australian consumers or are projected to record $75,000 or more over the forthcoming 12 month period). The changes will be of particular relevance to overseas online suppliers to the Australian market. Operators of electronic distribution platforms will be treated as "suppliers" if the goods are purchased through the platform by consumers and brought into Australia with the assistance of either the supplier or the operator.
Digital currency to be treated as "money" for GST purposes On 29 June 2017, the Australian Treasury released draft legislation which would remove the double taxation of digital currency, such as Bitcoin, treating it instead in the same way as money for GST purposes: Treasury Laws Amendment (2017 Measures No. #) Bill 2017. In 2014, the Australian Tax Commissioner determined that digital currencies were not a form of "money" for GST purposes. This meant that the supply of digital currency would effectively be taxed twice – once when initially acquired by the consumer, and again when the currency was used in exchange for other goods or services subject to GST. Under the proposed changes, digital currency will be excluded as a "supply" under the GST Act, and the supply and acquisition of digital currency will generally be disregarded for GST purposes. One exception would be if digital currency is supplied in exchange for money, in which case the transaction would still be subject to GST.
IPND access scheme updated On 20 July 2017, a series of Instruments regulating access by researchers to the Integrated Public Number Database (IPND) were renewed in anticipation of their scheduled sunset date. The IPND is an industry-wide database of public telephone numbers and associated customer information which is established and maintained by Telstra as a condition of its carrier licence. Under section 295A of the Telecommunications Act 1997, the Australian Communications and Media Authority (ACMA) must make a scheme for the granting of authorisation to access the IPND. Since 2007, access has been regulated by a series of Instruments issued by the Minister for Communications, each due to sunset on 1 October 2017. Following review, three Instruments have been replaced and extended. The Telecommunications (Integrated Public Number Database Scheme – Criteria for Deciding Authorisation Applications) Instrument 2017 specifies the criteria that must be applied by ACMA when deciding applications for authorisations for access to personal information contained in the IPND; the Telecommunications (Integrated Public Number Database – Permitted Research Purposes) Instrument 2017 specifies the kinds of public-interest research for which access to the IPND may granted; and the Telecommunications (Integrated Public Number Database – Public Number Directory Requirements) Instrument 2017 specifies requirements which must be satisfied if a directory product is to be considered a "public number directory" for the purposes of section 285(2) of the Act.
POLICIES, REPORTS AND ENQUIRIES
Australian Bureau of Statistics proposes new CPI methodology Many TMT contracts include a "CPI clause", pursuant to which licence or service fees are increased annually in line with the Consumer Price Index. It is important, therefore, that the CPI remains a robust and reliable indicator of inflationary trends. The CPI is reviewed periodically by the Australian Bureau of statistics (ABS) to ensure it continues to meet community needs, with the last comprehensive review being carried out in 2010. The ABS has primarily used the Household Expenditure Survey (HES) to derive CPI weights and traditionally these weights have been updated every 6 years. The ABS has been investigating whether alternative data sources could be used to enable more frequent updating of the CPI and, in particular, whether Household Final Consumption Expenditure (HFCE) data from the national Accounts could be used in this regard. An information paper published by the ABS on 19 June 2017 contains a proposal and methodology for the annual re-weighting of the CPI expenditure class (EC) weight each December quarter using HCEF data, with HES data also being used in the years that it is conducted: Australian Bureau of statistics, Information Paper: An Implementation Plan to Annually Re-weight the Australian CPI, 2017.
ASIC may be authorised to receive intercepted telecommunications material On 20 July 2017, the Australian Government published a Consultation Paper regarding the right of the Australian Securities and Investments Commission (ASIC) to access intercepted telecommunications data. ASIC already has limited rights under the Telecommunications (Interception and Access) Act 1979. It can access stored communications (historical text messages, voicemails and emails) in certain circumstances, but it is not a designated "interception agency" with the ability to seek a warrant to intercept telecommunications, nor is it a "recipient agency" to which lawfully intercepted material can be communicated. The Consultation Paper recommends that, for the purposes of investigating and prosecuting serious offences, such as insider trading, market manipulation and fraud, ASIC should be able to receive lawfully intercepted material. The Consultation Paper acknowledges that it is necessary to balance the privacy rights of individuals against any expansion in ASIC's powers in this regard, and emphasises that any legislative amendment would have to be accompanied by "adequate safeguards to protect against unjustified intrusion into personal privacy".
HEALTH PRIVACY ISSUES
My Health Record system becomes "opt-out". On 1 June 2017, the Department of Health announced that the My Health Record system would change to an "opt-out" model for the 2017-18 year. The My Health Record system (which was formerly known as the Personally Controlled Electronic Health Record system) is an electronic summary of an individual's health information which can be shared online between healthcare providers, but until now, only if the patient had opted in. There has been a disappointingly low level of optional participation since the scheme was established in 2012, and the new arrangement is expected to boost participation to 98% by December 2018.
Privacy complaint about disclosure of a second opinion to the treating surgeon not necessarily unsustainable On 29 June 2017, the Victorian Civil and Administrative Appeals Tribunal dismissed an application to strike out proceedings commenced under the Health Records Act 2001 (Vic), finding that the claim was not "obviously hopeless or unsustainable": Bar v Schneider (Human Rights)  VCAT 957. The complainant had sought a second opinion from an orthopaedic surgeon who then forwarded a copy of his opinion to the treating surgeon, even though the patient did not want his treating surgeon to know that a second opinion was being obtained. The complainant asserted that this amounted to a breach of Health Privacy Principle 2.2. The respondent surgeon contended the patient had provided him with verbal authority to make the disclosure. The surgeon further contended that the disclosure was in accordance with the primary purpose of collection, or alternatively amounted to a lawful secondary purpose, and he sought summary dismissal of the claim under section 75 of the Victorian Civil and Administrative Tribunal Act 1998 (Vic) on the basis that the claim was "frivolous, vexatious, misconceived or lacking in substance". The Tribunal concluded there were genuine areas of contention as to the facts of the case, and the complainant was entitled to have the claim fully heard.
Disclosure of health information by counsellor justifiable in certain circumstances On 14 July 2017, VCAT dismissed a complaint about the use and disclosure of health information obtained by the respondent counsellor: Curran v Loddon Campaspe Centre Against Sexual Assault (Human Rights)  VCAT 999. The applicant, who had received counselling from two different individuals employed by the respondent, was herself enrolled in a diploma course in counselling. She approached a third individual employed by the respondent to enquire whether the respondent could provide her with supervision of the continued counselling of a child she had encountered when engaged in a work placement as part of her study. In the course of the ensuing discussion, it became apparent that information about her own counselling had been divulged. Two weeks later, there was a public confrontation between the applicant and her first counsellor, resulting in the counsellor being granted an interim intervention order. Hampel J ruled that the respondent's primary purpose of making clinical notes was to facilitate adequate oversight of clients and to inform communications between those individuals and the respondent. He considered that the internal disclosure was consistent with the primary purpose of collection, as well as being consistent with the secondary purpose of dealing with the applicant's enquiry, thus satisfying Health Privacy Principles 2.1 and 2.2(a). His honour also ruled that the clinician's disclosure of the applicant's history in the course of applying for an intervention order was made in good faith and therefore amounted to a reasonable belief by the clinician that she faced an imminent threat to her safety, thus justifying that disclosure under HPP 2.2(h)(i).